REMARKS

The Applicants and the undersigned thank Examiner Son for his time and consideration
given during the telephonic interview of August 15, 2006, and for his careful review of this
application. After entry of this Amendment, Claims 1-59 are pending in the present application,
with Claims 1, 16, 27, 34, and 49 being independent. Applicants have amended Claims 1, 16,
27, 34, and 49 herein. The Applicants believe that no new matter has been added to this
application.

Consideration of the present application is respectfully requested in light of the above
amendments to the application and in view of the following remarks.

Summary of Telephonic Interview of August 15, 2006

The Applicants and the undersigned thank Examiner Son for his time and consideration
given during the telephonic interview of August 15, 2006. During this telephonic interview, the
differences between the prior art of record, U.S. Patent No. 6,088,804 issued to Hill (hereinafter
the "Hill reference"), and proposed amendments to the claims were discussed.

The Applicants' representative explained that the Hill reference does not provide any
teaching of analyzing and filtering security event data, as recited in amended independent Claims
1, 16, 27, 34, and 49.

Examiner Son understood the differences explained by Applicants' representative with
respect to the Hill reference and he understood what inventive features the Applicants are trying
to claim. Examiner Son indicated that the Applicants should further define the term "security
event data" to clarify the type of data that is being analyzed and filtered. Examiner Son indicated
that he would conduct an updated search on the technology when the Applicants submit a formal
amendment containing amended language as discussed during the telephonic interview.

The Applicants and the undersigned request Examiner Son to review this interview
summary and to approve it by writing "Interview Record OK" along with his initials and the date
next to this summary in the margin as discussed in MPEP § 713.04.

Application No. 09/844,448

Claim Rejections

In the Office Action dated April 20, 2006, the Examiner rejected Claims 1-11, 13-22,
24-44, 46-55, and 57-59 under 35 U.S.C. § 102(e) as being anticipated by the Hill reference.
Furthermore, the Examiner rejected Claims 12, 21, 45, and 56 under 35 U.S.C. § 103(a) as
allegedly being unpatentable over Hill in view of an alleged obviousness rejection at the time of
the invention for one having ordinary skill in the art.

The Applicants respectfully offer remarks to traverse these rejections. The Applicants
will address each independent claim separately as the Applicants believe that each independent
claim is separately patentable over the prior art of record.

Independent Claim 1 

The rejection of Claim 1 is respectfully traversed. It is respectfully submitted that the
Hill reference fails to describe, teach, or suggest the combination of (1) generating security
event data comprising a plurality of alerts with a plurality of security devices at a first location in
response to detecting a security event in a distributed computing environment; (2) providing one
or more variables operable for analyzing and filtering the security event data, the variables
comprising at least one of a location of a security event, a source of security event, a destination
address of the security event, a security event type, a priority of a security event, and an
identification of a system that detected a security event; (3) creating scope criteria by selecting
one or more of the variables operable for analyzing and filtering the security event data; (4)
collecting the security event data generated by the plurality of security devices located at the first
location; (5) storing the collected security event data at a second location; (6) analyzing and
filtering the collected security event data with the scope criteria to produce result data; (7)
transmitting the result data to one or more clients; and (8) displaying the result data comprising
filtered alerts based on the scope criteria, as recited in amended independent Claim 1.

The Hill Reference

The Hill reference describes a dynamic network security system (20) that responds to a
security attack on a computer network (22) having a multiplicity of computer nodes (24). The
security system (20) includes a plurality of security agents (36) that concurrently detect
occurrences of security events on associated computer nodes (24). A processor (40) processes the
security events that are received from the security agents (36) to form an attack signature of the
attack. A network status display (42) displays multi-dimensional attack status information
representing the attack in a two dimensional image to indicate the overall nature and severity of
the attack. See Figure 1 of the Hill system reproduced below.

As shown in Figure 3 of the Hill reference below, a database (48) maintains the simulated
attack information for a plurality of simulated attacks (52). Each of the simulated attacks (52) is
a prediction of an attack type that may occur on network (22). Simulated attacks (52) are
generated by an operator and stored in database (48). Each simulated attack (52) contains a
training signature (53) that is defined by a plurality of security events (50) of at least one security
event type (56). Security events (50) are presented in database (48) in a column (58) as a
percentage of security events per event type.

In addition to security event types (56) and percentage of security events (50) per event
type in column (58), training signatures (53) include location identifiers (60). Location identifiers
(60) identify the nodes (24) in network (22) where security events may take place. Location
identifiers (60) are important for ascertaining an attack severity (61) for each of simulated attacks
(52). Attack severity (61) is a level of security breach that one of simulated attacks (52) could
cause computer network (22).

As shown in Figure 7 of the Hill reference below, a network status display (42) displays
multi-dimensional attack status information in a two dimensional image to indicate the overall
nature and severity of an attack. The network status display (42) presents a display map (66) and
an attack status information list (108) showing security event type (56) and location identifiers
(60) for an example attack (92). The network status display (42) also presents an attack signature
log (110) which provides current and historical perspective on a given attack record at various
sample times. The attack signatures in log (110) are the text equivalent of the two dimensional
image as highlighted in display map (66). In addition, the network status display (42) includes
an attack mitigation list (112) which is a catalogue of actions that a network manager may take in
order to mitigate the example attack (92).

In summary, the Hill reference teaches generating simulated attacks that may occur on
the network. The simulated attacks comprise training signatures that define what type of security
events are present in each attack. In response to the simulated attacks, the system in the Hill
reference may subsequently be trained to detect and respond to actual security attacks by
monitoring and analyzing the network traffic data. In response to an actual security attack, the
system in the Hill reference can respond with an action that corresponds to a simulated attack
that is stored in the database. Thereafter, the Hill reference can present a display map containing
attack information. Thus, the Hill reference fails to teach providing one or more variables
operable for analyzing and filtering the security event data and it fails to teach creating scope
criteria by selecting one or more of the variables operable for analyzing and filtering the security
event data and analyzing and filtering the collected security event data with the scope criteria to
produce result data, wherein the security event data comprises a plurality of alerts with a
plurality of security devices at a first location in response to detecting a security event in a
distributed computing environment.

Therefore, the Hill reference fails to teach generating security event data comprising a
plurality of alerts with a plurality of security devices at a first location in response to detecting a
security event in a distributed computing environment, and providing one or more variables
operable for analyzing and filtering the security event data, as recited in amended independent
Claim 1. Furthermore, the Hill reference fails to teach creating scope criteria by selecting one or
more of the variables operable for analyzing and filtering the security event data and analyzing
and filtering the collected security event data with the scope criteria to produce result data, as
recited in amended independent Claim 1.

In light of the differences between amended independent Claim 1 and the Hill reference,
one of ordinary skill in the art recognizes that the Hill reference fails to describe, teach, or
suggest the recitations as set forth in amended independent Claim 1. Accordingly,
reconsideration and withdrawal of this rejection are respectfully requested.

Independent Claim 16

The rejection of Claim 16 is respectfully traversed. It is respectfully submitted that the
Hill reference fails to describe, teach, or suggest the combination of: (1) generating security
event data comprising a plurality of alerts with the plurality of security devices at a first location
in response to detecting a security event in a distributed computing environment; (2) providing
one or more variables operable for analyzing and filtering the security event data, the variables
comprising at least one of a location of a security event, a source of security event, a destination
address of the security event, a security event type, a priority of a security event, and an
identification of a system that detected a security event; (3) creating scope criteria by selecting
one or more of the variables operable for analyzing and filtering the security event data; (4)
collecting security event data at a second location; (5) applying the scope criteria to the security
event data at a third location to produce result data; (6) transmitting the result data to one or more
clients; and (7) displaying the result data comprising filtered alerts based on the scope criteria,
as recited in amended independent Claim 16.

Similar to the analysis of independent Claim 1, the Hill reference fails to teach generating
security event data comprising a plurality of alerts with a plurality of security devices at a first
location in response to detecting a security event in a distributed computing environment, and
then providing one or more variables operable for analyzing and filtering the security event data,
as recited in amended independent Claim 16. Furthermore, the Hill reference fails to teach
creating scope criteria by selecting one or more of the variables operable for analyzing and
filtering the security event data, as recited in amended independent Claim 16.

In light of the differences between amended independent Claim 16 and the Hill reference,
one of ordinary skill in the art recognizes that the Hill reference fails to describe, teach, or
suggest the recitations as set forth in amended independent Claim 16. Accordingly,
reconsideration and withdrawal of this rejection are respectfully requested.

Independent Claim 27

The rejection of Claim 27 is respectfully traversed. It is respectfully submitted that the
Hill reference fails to describe, teach, or suggest a system that includes: (1) a plurality of
security devices operable for generating security event data comprising a plurality of alerts that
are generated in response to detecting a security event in a distributed computing environment;
(2) an event manager coupled to the security devices, the event manager operable for collecting
the security event data from the security devices and analyzing and filtering the security event
data with scope criteria comprising one or more definable variables operable for analyzing and
filtering the security event data, the variables comprising at least one of a location of a security
event, a source of security event, a destination address of the security event, a security event
type, a priority of a security event, and an identification of a system that detected a security
event; and (3) one or more clients coupled to the event manager operable to perform an action in
response to receiving analyzed security event data from the event manager, as recited in
amended independent Claim 27.

Similar to the analysis of independent Claim 1, the Hill reference fails to teach generating
security event data comprising a plurality of alerts that are generated in response to detecting a
security event in a distributed computing environment and analyzing and filtering the security
event data with scope criteria comprising one or more definable variables operable for analyzing
and filtering the security event data, as recited in amended independent Claim 27.

In light of the differences between amended independent Claim 27 and the Hill reference,
one of ordinary skill in the art recognizes that the Hill reference fails to describe, teach, or
suggest the recitations as set forth in amended independent Claim 27. Accordingly,
reconsideration and withdrawal of this rejection are respectfully requested.

Independent Claim 34

The rejection of Claim 34 is respectfully traversed. It is respectfully submitted that the
Hill reference fails to describe, teach, or suggest the combination of: (1) generating security
event data comprising a plurality of alerts with a plurality of security devices at a first location in
response to detecting a security event in a distributed computing environment; (2) providing one
or more variables operable for analyzing and filtering the security event data, the variables
comprising at least one of a location of a security event, a source of security event, a destination
address of the security event, a security event type, a priority of a security event, and an
identification of a system that detected a security event; (3) creating scope criteria by selecting
one or more of the variables operable for analyzing and filtering the security event data; (4)
collecting the security event data at a second location; (5) analyzing and filtering the collected
security event data with the scope criteria at a third location to produce result data; (6)
transmitting the result data to one or more clients; and (7) rendering the result data in a
manageable format for the one or more clients, as recited in amended independent Claim 34.

Similar to the analysis of independent Claim 1, the Hill reference fails to teach generating
security event data comprising a plurality of alerts with a plurality of security devices at a first
location in response to detecting a security event in a distributed computing environment and
then providing one or more variables operable for analyzing and filtering the security event data,
as recited in amended independent Claim 34. Furthermore, the Hill reference fails to teach
creating scope criteria by selecting one or more of the variables operable for analyzing and
filtering the security event data and analyzing and filtering the collected security event data with
the scope criteria at a third location to produce result data, as recited in amended independent
Claim 34.

In light of the differences between amended independent Claim 34 and the Hill reference,
one of ordinary skill in the art recognizes that the Hill reference fails to describe, teach, or
suggest the recitations as set forth in amended independent Claim 34. Accordingly,
reconsideration and withdrawal of this rejection are respectfully requested.

Independent Claim 49 

The rejection of Claim 49 is respectfully traversed. It is respectfully submitted that the
Hill reference fails to describe, teach, or suggest the combination of: (1) generating security
event data with a plurality of security devices in response to detecting a security event in a
distributed computing environment, the security event data comprising a plurality of alerts; (2)
transferring the security event data for storage in a database; (3) applying a scope criteria
comprising one or more definable variables to the security event data for analyzing and filtering
the security event data to produce a result, the variables comprising at least one of a location of a
security event, a source of security event, a destination address of the security event, a security
event type, a priority of a security event, and an identification of a system that detected a security
event; (4) accessing the result with one or more clients coupled to an application server; and (5)
displaying the result data comprising filtered alerts based on the scope criteria, as recited in
amended independent Claim 49.

Similar to the analysis of independent Claim 1, the Hill reference fails to teach generating
security event data with a plurality of security devices in response to detecting a security event in
a distributed computing environment, the security event data comprising a plurality of alerts and
applying a scope criteria comprising one or more definable variables to the security event data
for analyzing and filtering the security event data to produce a result, as recited in amended
independent Claim 49.

In light of the differences between amended independent Claim 49 and the Hill reference,
one of ordinary skill in the art recognizes that the Hill reference fails to describe, teach, or
suggest the recitations as set forth in amended independent Claim 49. Accordingly,
reconsideration and withdrawal of this rejection are respectfully requested.

Dependent Claims 2-15, 17-26, 28-33, 35-48, and 50-59

The Applicants respectfully submit that the above-identified dependent claims are
allowable because the independent claims from which they depend are patentable over the cited
prior art reference. The Applicants also respectfully submit that the recitations of these
dependent claims are of patentable significance.

In view of the foregoing, the Applicants respectfully request that the Examiner withdraw
the pending rejections of dependent Claims 2-15, 17-26, 28-33, 35-48, and 50-59.






CONCLUSION 

Applicants submit the foregoing as a full and complete response to the Non Final Office
Action dated April 20, 2006. The Applicant and the undersigned thank Examiner Son for
consideration of these remarks. Applicants submit that this Amendment places the application in
condition for allowance and respectfully request such action.

If any issues exist that can be resolved with an Examiner's Amendment or a telephone
conference, please contact the undersigned at 404.572.4647.